As the conflict in Ukraine continues, cyberwar continues to be a critical part of the narrative on a global scale.
The necessity for organizations to understand their own attack surface more intimately has emerged as absolutely essential in order for organizations to remain vigilant in protecting business operations.
Cyber Security Works is committed to sharing the intelligence and the insights around the trends, patterns and signals that are meaningful to understand for any security practitioner today. This comes from vulnerability assessments and scans that CSW executes in order to identify areas where vulnerabilities emerge from malware and ransomware strains that might be immediately evident with other scans of data sets.
In this bulletin, we share with you our research on the current threats posed by malware and ransomware spawning out of the conflict in Ukraine. It also poses a very important question to organizations in Europe, the UK, and the US:
How prepared are you to tackle the threat posed by unidentified, undetected and yet-to-be-exploited Ransomware threats or dangerous malware such as WhisperGate?
This blog leverages our vulnerability research expertise as we delve deep into ransomware and malware threats that have become noticeably more present and active in this cyberwar.
Note: This is a developing story. CSW experts will continue their research and publish their analysis as and when new threat groups emerge.
Conti Ransomware
One of the most disastrous ransomware groups in recent times, the Conti ransomware has not missed out on any opportunity to capitalize on high-profile cyber events and vulnerable weaknesses. While this was one of the first mature ransomware groups to act on the Apache Log4j vulnerability, the Conti group has marked its presence in this cyber war by initially declaring its support to Russia, which it later retracted. (Probably because Ukrainian researchers got back at the group by leaking their internal chats and source code, putting them in a tight spot.)
The Conti group is associated with the Russian threat actor Wizard Spider and has of late been on a weaponry acquisition spree, adding the most dangerous vulnerabilities like ProxyShell, ProxyLogon, Log4j, alongside trickbot malware, SEO poisoning methods, and a revived emotet botnet.
|
Conti |
|
|---|---|
|
Vulnerabilities Associated |
17 |
|
Vendors Affected |
3+ |
|
CVSS Severity |
Critical – 7 High – 9 Medium – 1 |
|
Public Exploits Available |
CVE-2021-34527, CVE-2017-0144, CVE-2020-1472, CVE-2017-0143, CVE-2017-0148, CVE-2020-0796, CVE-2021-44228, CVE-2017-0145, CVE-2017-0146, CVE-2017-0147, CVE-2018-13374, CVE-2018-13379, CVE-2021-1675, CVE-2021-31207, CVE-2021-34473, CVE-2021-34523 |
.png)
LockBit Ransomware
The LockBit ransomware group, while not as ravenous as Conti or Revil, has silently climbed up the ranks to be one of the top ransomware contenders in 2021. With a revamped 2.0 version with a new information-stealing trojan, LockBit was responsible for many attacks on Accenture, Bangkok airways, IT companies, and the industrial sector.
LockBit is known for its double extortion technique, encrypting victims’ data while also threatening to leak or sell them. They exploit public-facing applications, external remote services, valid accounts and use phishing as a means to gain initial access into vulnerable networks.
|
Lockbit |
|
|---|---|
|
Vulnerabilities Associated |
2 |
|
Vendors Affected |
2 |
|
CVSS Severity |
Critical – 2 High – 0 Medium – 0 |
|
Public Exploits Available |
CVE-2021-22986, CVE-2018-13379 |
WhisperGate
WhisperGate is a new malicious malware that was unleashed in January 2022 to target Ukraine’s organizations. The malware is capable of wiping files, corrupting disks, and can prevent the operating system from loading. It was also responsible for defacing several websites associated with the Ukrainian government.
On February 14, 2021, a massive DDoS attack wreaked havoc across Ukraine, crashing major government websites. Although the impact was minimal, the ramifications were not. The Armed Forces of Ukraine, the Ministry of Defense, Oschadbank (the State Savings Bank), and Privatbank, the country’s largest commercial bank with approximately 20 million clients, were all targeted.
|
WhisperGate |
|
|---|---|
|
Vulnerabilities Associated |
13 |
|
Vendors Affected |
8+ |
|
CVSS Severity |
Critical – 3 High – 3 Medium – 6 Note: 1 CVE does not have a CVSS score |
|
Public Exploits Available |
CVE-2021-44228, CVE-2021-32648, CVE-2022-0215 |
.png)
HermeticWiper
The HermeticWiper, believed to be the same as the brand new Foxblade malware, has now been identified as responsible for a round of calamitous cyberattacks against Ukraine’s digital landscape, hours before the missile strike began on March 02, 2021. This malware is capable of causing Distributed Denial-of-Service (DDoS) attacks unknown to users, to the extent of rendering victims’ systems useless.
The data wiper malware, as it is popularly addressed, does not need any network communication controls, thus making it difficult to detect, unless downloaded. This sophisticated malware strain targets drivers of disk management software and the word is that hundreds of computers in Ukraine have fallen victim to the strain. The latest is that the malware contains three components – HermeticWiper for data corruption, Hermetic Wizard for penetration, and Hermetic Ransom, a ransomware module that is believed to be a deception tactic. A decryptor is now available for Hermetic ransomware.
|
Hermetic Wiper |
|
|---|---|
|
Vulnerabilities Associated |
6 |
|
Vendors Affected |
2 |
|
CVSS Severity |
Critical – 3 High – 3 Medium – 0 |
|
Public Exploits Available |
CVE-2021-26855, CVE-2021-34523, CVE-2021-34473, CVE-2021-31207, CVE-2021-1636, CVE-2022-23181 |
IsaacWiper
IsaacWiper is the latest addition to the list of threats against Ukraine, and the second data wiper malware after Hermetic Wiper. The wiper was found waging attacks against a government network on March 03, 2021, and is believed to be part of a completely different campaign from its Hermetic counterpart.
A prominent component of the IsaacWiper is the enumeration of all physical and logical drives before the file clean operation. This could be an indication that attackers are looking to understand some unpredicted behavior from previously targeted machines, researchers hint.
|
Isaac Wiper |
|
|---|---|
|
Vulnerabilities Associated |
3 |
|
Vendors Affected |
2 |
|
CVSS Severity |
Critical – 1 High – 2 Medium – 0 |
|
Public Exploits Available |
CVE-2020-0688, CVE-2020-17144, CVE-2018-13379 |
Vulnerabilities associated with the Russian Threats
Early Warning
Of the 35 vulnerabilities, CSW’s experts had predicted a high probability of exploitability for 21 of the vulnerabilities much before the spurt in activity of the associated APT groups, in relation to the Russia-Ukraine cyber war.
Here is a look into the early warnings based on CSW’s research.
The consequences of a cyberwar will have serious repercussions on critical entities, infrastructure, and supply chain organizations in the western countries. Interestingly, these threat actors are targeting vulnerabilities that have been in the limelight for long.
49% of the vulnerabilities exploited by these ransomware and malware threats are available in CISA’s KEV. CSW researchers have also called out 54% of these vulnerabilities, warning organizations to patch them.
Our recommendations to businesses and organizations are the following –
-
Patching the vulnerabilities that threat groups and attackers exploit is our first recommendation. We would also recommend patching CISA’s KEV (Known Exploited Vulnerabilities) catalog which has 489 CVEs that are often targeted by hackers and attackers.
-
Continuous Vulnerability Scanning, knowing how exposed you are to ransomware threats and determining your security posture through proactive penetration testing and red teaming exercises are recommended.
-
In the long run, organizations need to budget for an Attack Surface Management platform that discovers known and unknown assets and helps security teams to remediate critical exposures and gaps in security.
Are American companies and public sector departments patched up for these vulnerabilities?
Get in touch with CSW for Red Teaming and VMaaS services.